I've recently had my PC upgraded to Vista, which means it includes IIS7. The problem is that the ASP.NET website we're working on doesn't work anymore. I get an error because the application is trying to connect to the SQL Server with NT AUTHORITY/ANONYMOUS LOGON instead of my domain user, and anonymous isn't authorized. I've tried several things, but no solution yet:
- install and enable the 'IIS Metabase and IIS 6 configuration compatibility'
- enable Windows Authentication for this website
- created a different Application Pool with managed pipeline mode set to Classic
- enabled IIS6 WMI compatibility and IIS6 management console (getting desperate here)
In our web.config there's and in our machine.config there's . I've tried putting impersonate to false and entering my domain user and password in the machine.config (it used to be like this) but that didn't help either.
Are there things I'm missing? Has anyone else had a similar problem?
How does your application authenticate with SQL Server? Does it use SQL or Windows Auth? I hope you are trying to use Windows Auth. In that case, your IIS worker process should be running under that Windows user account. If not, it should at the least impersonate a Windows user account that has necessary access rights to SQL Server. If you have impersonation enabled and if you are using the right Windows user account and if SQL Server authenticates using Windows auth and if you are still unable to access SQL Server, you may be running into the classic double hop issue. In other words, you are trying to authenticate to IIS once and you are using the same credentials to authenticate to the SQL Server over a network next (which is your second hop) and Windows does not allow that for security reasons.
I believe I have found a/the solution. At least it's working now. This is what I did:
The website is now running in a separate application pool with Managed Pipeline mode set to classic, Load userprofile set to False and Identity set to custom and using a domain user (and password) that has access to the database.
Under 'authorization' of the website itself, I have Anonymous set to enabled and ASP.NET impersonate set to disabled.
in the web.config of the site is also set.
Credit where it's due, this site helped me.
I'm sorry to say I can't look into the issue any further. Indeed, it probably is something with the way we connected to SQL Server (Win Auth) because we've changed it now. Now we connect with username and password in the connection string and it's solved.
So I can't really say if you provided the answer, msvcyc, but I did vote on your solution. Thanks for the time and trouble.
Well, I recommend you migrate to Integrated mode, if there are not too many troubles, to enjoy the innovation it brings. :)
http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx
I'm trying to track down why when the web app accesses a network drive, I see Network path not found (error 53). When I log into the server I can open up a file on that drive with no problem. But the application (asp.net) cannot. I was wondering if this was a permissions error and that led me to try to find out what the username of the app is and where I would find that out.
It depends on your OS version and your security settings. Your web-site should have an app pool assigned to it (which may be shared with other applications). By default in Windows Server 2008 R2 the pseudo account ApplicationPoolIdentity is used, which is not really an account.
IIS Accounts
You can check under advanced settings for the app pool and see what it is using. I believe if you have impersonation set up in your web.config, the app pool will access resources using the credentials of whoever is using the application--you can use Kieran's snippet to get that information.
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This depends on the hosting. VS provides 4 ways to host & debug a web application: VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Dev servers generally run under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your understanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider: Windows Authentication or Forms Authentication are 2 common providers. User identity is kept in http context, which allows you to use authorization rules later. So every code block always runs under the same account (unless you enable delegation but that's another story).
I highly suggest you read this complete introduction on asp.net security.
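The difference between the authenticated user and the account the code actually runs as, and the token level behind the double-hop failures described on this page, can be observed with a small diagnostic handler. This is an added example, not code from the thread; the class name `WhoAmI` is hypothetical and it assumes classic ASP.NET on .NET Framework (System.Web).

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added diagnostic handler (hypothetical name WhoAmI); register it as an .ashx or in <handlers>.
public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The output names service accounts, so answer only requests made on the server itself.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "text/plain";

        // 1. Who the browser authenticated as (Windows or Forms authentication).
        //    This lives in the HTTP context and is what authorization rules use.
        IIdentity user = context.User != null ? context.User.Identity : null;
        bool known = user != null && user.IsAuthenticated;
        context.Response.Write(string.Format("1. Request user    : {0} ({1})\n",
            known ? user.Name : "<anonymous>",
            known ? user.AuthenticationType : "none"));

        // 2. The Windows identity of the current thread. File shares and SQL Server
        //    Windows authentication see this account, not the one in step 1.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            context.Response.Write(string.Format("2. Thread identity : {0}\n", thread.Name));
            // None          = process token, no impersonation in effect.
            // Impersonation = usable on this machine only (a second hop is refused).
            // Delegation    = may be forwarded to another server (Kerberos delegation).
            context.Response.Write(string.Format("   Token level     : {0}\n",
                thread.ImpersonationLevel));
        }

        // 3. The worker process (app pool) account. Impersonate(IntPtr.Zero) reverts
        //    to the process token; disposing the context restores the thread identity.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            context.Response.Write(string.Format("3. Worker process  : {0}\n", process.Name));
        }
    }
}
```

With Windows Authentication and `<identity impersonate="true" />`, lines 1 and 2 show the same domain user and line 3 shows the app pool account; without impersonation, lines 2 and 3 match and only line 1 changes per user.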
I found a lot of articles on the internet about "Deploying ASP.NET website on IIS 7.0" and now I know how to do it.
But unfortunately, when I set up the website on IIS, I get another error! At first I got an "IIS APPPOOL\TradeSite" error, but when I changed the IDENTITY of the related Application Pools to LOCALSYSTEM it was solved. After that I got a new error message with this specification:
Server Error in '/' Application.
Cannot open database "TradeSite" requested by the login. The login failed.
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.
Please help me fix this problem.
I add sites with this method:
- Copy the published project to the wwwroot folder of IIS
- Add a new web site in IIS and set its port to a unique port number, e.g. 8090
- Change the .NET Framework version from 2.0 to integrated 4.0
- Change the process model identity to LOCALSYSTEM from the advanced settings menu
That's it. That was all the work that I did.
Also, I read somewhere that you should open a connection to SQL. I don't know whether that was a correct solution or not, but I did it and again nothing changed.
I also tested on both the server and local IIS, but the result was the same.
I would appreciate it if anyone could help me with this issue.
Thanks in advance.
Is your TradeSite db hosted in SQL Server? If so, open up the database in SQL Server Management Studio, select Security, and ensure that Network Service has access to at least read from the database.
My intention is to access the SSAS Database without Windows authentication. The user outside the domain should be able to access the cube and build PIVOT tables around it. Thus I found that we can use HTTP access for this purpose.
I followed each and every step mentioned on the following links
http://msdn.microsoft.com/en-us/library/gg492140.aspx
http://bloggingabout.net/blogs/mglaser/archive/2008/08/15/configuring-http-access-to-sql-server-2008-analysis-services-on-microsoft-windows-server-2008.aspx
When I try to hit the URL in Mgmt Studio --> Analysis Services
http://localhost/olap/msmdpump.dll. I am getting the "Connection time out" and "404 error"
I went to MSDN forums for the same problem but no concrete results.
How do I test whether my SSAS 2008 is accessible with HTTP access?
Please help!!
I don't have a lot to go on from your question, but if I had to guess I'd say you probably didn't switch from integrated to classic in the application pool settings which left your handler mapping disabled giving you the 404.
I would start simple on your local development machine and follow the instructions allowing anonymous access to the site. Make sure that your site uses an application pool that has access to the cube in analysis services. Additionally, you cannot use the integrated pipeline in IIS, you will have to use classic. When you create your script mapping (under Handler Mappings) in IIS, make sure that you follow the directions carefully from the following URL:
http://msdn.microsoft.com/en-us/library/gg492140.aspx
I just followed the instructions and it worked for me.
Switching on Anonymous authentication will work to grant access to the site, however I would suggest you use at least Basic HTTP authentication or even Windows Authentication. Just note, if you're using a remote SSAS instance (not on the same host), a double-hop authentication is required. For that, you will have to register SPNs and enable Kerberos authentication.
You find out how to do that by following the links referred to under
Microsoft - Configure HTTP Access to SSAS
Greetings,
Remo
I am developing an intranet ASP.NET web application that's configured to use Integrated Windows Authentication. My web app needs to check user entitlements using LDAP to get user memberships, etc.
The issue I noticed today is that, when I run my web app using IIS, sometimes the LDAP calls fail with strange errors, such as "Unable to contact the server..." ... or "...that domain doesn't exist..." (something along those lines, anyway). However, if I run my web app using Cassini, I don't get those errors.
If IIS is the issue, why would it fail some times and other times not? What does Cassini do different that IIS is not doing?
I'm using IIS 5.1 / Windows XP / Visual Studio 2008
Why is this happening, and how can I fix it?
Probably something to do with the fact that when you're running Cassini, it's your domain account that's querying the LDAP. It is strange that it would work in IIS sometimes though, and not others. Is the server registered on the network? What system account is IIS running under?
#James Johnson: I figured it out thanks to your comment, which got me thinking about my domain account... Finally, I found this post which points out that in order to connect to LDAP one needs to set Impersonation=True in web.config. It was working intermittently this morning, I think, because I was using Firefox instead of IE, which required me to enter my domain username and password.
The other strange thing was that my app worked fine in our development and stage environments even though my web.config is the same for all of them. I suppose the guys in the hosting group have this set at the machine.config level.